[bluesign]

"Another risk is similar to why you should require a password to be re-entered in order to change a password."

you know that google asks your password when you want to change your password right?

[unloco]

and he is comparing the two. Why ask for password before changing a password? Why not ask for 2FA before changing your 2FA?

[bluesign]

to be honest I am on the side that thinks asking 2FA to disable 2FA is not necessary, now I read my comment again, it sounds like I was on other side.

on both cases, password change and 2FA disable, it is asking password (but not 2FA)

So I think when you are logged in it is 1st factor, 2nd one is password. No need for 3rd one.